Research Findings:

  • reCAPTCHA v2 is not effective in preventing bots and fraud, despite its intended purpose
  • reCAPTCHA v2 can be defeated by bots 70-100% of the time
  • reCAPTCHA v3, the latest version, is also vulnerable to attacks and has been beaten 97% of the time
  • reCAPTCHA interactions impose a significant cost on users, with an estimated 819 million hours of human time spent on reCAPTCHA over 13 years, which corresponds to at least $6.1 billion USD in wages
  • Google has potentially profited $888 billion from cookies [created by reCAPTCHA sessions] and $8.75–32.3 billion for each sale of their total labeled data set
  • Google should bear the cost of detecting bots, rather than shifting it to users

“The conclusion can be extended that the true purpose of reCAPTCHA v2 is a free image-labeling labor and tracking cookie farm for advertising and data profit masquerading as a security service,” the paper declares.

In a statement provided to The Register after this story was filed, a Google spokesperson said: “reCAPTCHA user data is not used for any other purpose than to improve the reCAPTCHA service, which the terms of service make clear. Further, a majority of our user base have moved to reCAPTCHA v3, which improves fraud detection with invisible scoring. Even if a site were still on the previous generation of the product, reCAPTCHA v2 visual challenge images are all pre-labeled and user input plays no role in image labeling.”

  • sugar_in_your_tea (6 upvotes, 4 months ago)

    Yup. I like Cloudflare’s checkbox, it works well and probably catches more bots than reCaptcha while being simple for humans.

      • sugar_in_your_tea (2 upvotes, 4 months ago)

        No, it tracks things like mouse movements to see if it looks human or like a bot. Humans don’t move the mouse in a straight line, there’s some jitter and whatnot, whereas bots will look quite a bit different.

        • Vlyn@lemmy.zip (2 upvotes, 4 months ago)

          That’s super easy to fake for a bot…

          It’s a ton more than mouse movement. Lots of browser fingerprinting for example and tracking.

          • sugar_in_your_tea (2 upvotes, 4 months ago)

            Yup. It does do a lot more than the checkbox, but the checkbox itself mostly does mouse movement and click tests.